Setup SSL on Synology NAS: Difference between revisions

From Littledamien Wiki
Revision as of 03:35, 12 June 2023

Create a self-signed SSL certificate and a root CA to sign it

Prerequisites

  • DiskStation must have a fixed IP address on your LAN.
  • Ability to add or assign certificates on the devices that need to trust your SSL certificate.

Create certificate on DiskStation

  • DSM > Control Panel > Security > Certificate
  • Click Add to start the process
  • Choose Create self-signed certificate
  • First create a Certificate Authority (CA) that will sign the site's SSL certificate

Create Root Certificate

  • Private key length: 2048
  • Common name: MyCA (Any name will do, but this name is how the certificate will be identified in Mac OS's Keychain Access (see below))
  • Email: myemail@domain.com
  • Location: [US] United States of America
  • State/Province: [state name]
  • City: [city name]
  • Organization: myOrg (Any name will do)
  • Department: (Again, any name)
  • Click Next

Create Certificate

  • Private key length: 2048
  • Common name: [DiskStation static IP]
  • Email: myemail@domain.com
  • Location: [US] United States of America
  • State/Province: [state name]
  • City: [city name]
  • Organization: myOrg (Any name will do)
  • Department: (Again, any name)
  • Subject Alternative Name: [DiskStation static IP plus any aliases, separated by semicolons]
  • Click Apply

Make the new certificate the default.

  • DSM > Control Panel > Security > Certificate
  • Select the new certificate in the list.
  • Click Configure
  • Select the certificate for System Default and any other relevant services.
  • Click Ok.
  • The web service will restart.

Renew existing certificate

  • DSM > Control Panel > Security > Certificate
  • Select the new certificate in the list.
  • Click Renew

I exported the certificate after renewing, deleted the previous certificate on Mac OS, and re-installed the certificate (cert.pem) in Keychain Access.

After doing this, I was still getting errors in Chrome.

I restarted the NAS, and still got security errors in Chrome using the alias for the NAS.

I entered the IP of the NAS in Chrome. Chrome did not report errors using the IP. Then when entering the NAS alias, Chrome no longer reported security errors.

So I'm not sure if the restart was necessary. Maybe just entering the IP causes Chrome to release whatever cache it's holding onto.

Trust the certificate authority locally

Mac OS

Export the certificate.

  • DSM > Control Panel > Security > Certificate
  • Select the certificate in the list.
  • Action > Export certificate
  • Save the zip file locally and expand it.

Add certificate issuer to keychain as a trusted certificate authority.

  • Double click on the certificate (syno-ca-cert.pem) to open the Mac OS Keychain Access app.
  • Add Certificate dialog will open automatically the first time the host is added.
    • Set Keychain to "system".
    • Click Add.
    • Enter password into admin credentials prompt.
  • Keychain Access app > System Keychains group > System
  • Look for the host under Name and double click that line.
    • Expand the Trust group.
    • When using this certificate: Always trust
    • Close the dialog.
    • Enter password into admin credentials prompt.
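
Before blaming the browser cache, it helps to confirm that the exported cert.pem really chains to the exported syno-ca-cert.pem and covers every name you type into the address bar (the static IP and each alias). The script below is an added example, not part of the original wiki page. It assumes OpenSSL 1.1.1 or later on the workstation; the function names, 192.0.2.10 and nas.example.lan are hypothetical, and make_demo_pair only builds a constructed stand-in for the export zip so the check can be tried offline.

```sh
#!/bin/sh
# Added example. Checks that an exported DSM certificate (cert.pem) chains to
# the exported CA (syno-ca-cert.pem) and is valid for each name used in the browser.

# covers CA CERT NAME: succeeds only if CERT verifies against CA *and* lists NAME.
covers() {
    case $3 in
        *[!0-9.]*) flag=-verify_hostname ;;  # anything besides digits/dots: DNS alias
        *)         flag=-verify_ip ;;        # IPv4 literal, matched against IP SAN entries
    esac
    openssl verify -CAfile "$1" "$flag" "$3" "$2" >/dev/null 2>&1
}

# report CA CERT NAME...: prints one line per name; non-zero status if any name fails.
report() {
    ca=$1 cert=$2 rc=0; shift 2
    for n in "$@"; do
        if covers "$ca" "$cert" "$n"; then echo "ok    $n"
        else echo "FAIL  $n"; rc=1; fi
    done
    return "$rc"
}

# make_demo_pair DIR SAN: constructed stand-in for DSM's export zip (test data only).
# SAN uses OpenSSL syntax (commas and type prefixes, not DSM's semicolons),
# e.g. "IP:192.0.2.10,DNS:nas.example.lan".
make_demo_pair() {
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[v3_leaf]' "subjectAltName = $2" > "$1/demo.cnf"
    openssl req -x509 -config "$1/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=MyCA" \
        -keyout "$1/ca.key" -out "$1/syno-ca-cert.pem" 2>/dev/null &&
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=192.0.2.10" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/syno-ca-cert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/demo.cnf" -extensions v3_leaf \
        -out "$1/cert.pem" 2>/dev/null
}

# Usage: sh check-nas-cert.sh syno-ca-cert.pem cert.pem 192.0.2.10 nas.example.lan
if [ "$#" -ge 3 ]; then report "$@"; fi
```

A FAIL on every name means cert.pem was not signed by the CA file being checked (for example, an older CA export still installed as trusted); a FAIL on only one name means that name is missing from the Subject Alternative Name field.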

Connecting to DiskStation via SSL

  • Use https, of course.
  • Use port 5001 and not port 5000 (http).
